Hi,

On Tue, 2005-06-21 at 11:35, Mohammed Riyaz wrote:
Yes, this is probably a bug in tproxy. Could you post the contents of the /proc/net/tproxy file?
The server crashed yesterday once more in the evening. This time we have been monitoring the server and the logs clearly show the increase in conntrack entries.
Do you have any patches applied on 2.6.10 apart from tproxy? Vanilla 2.6.10 had a TCP connection tracking bug which caused some TCP connections to linger in the conntrack table for way too much time. Please take a look at the original tproxy for 2.6.10 announcement in the mailing list archives:
https://lists.balabit.hu/pipermail/tproxy/2005-February/000171.html
The netfilter-devel post with the patch was:
https://lists.netfilter.org/pipermail/netfilter-devel/2004-December/017908.h...
The box has 512MB RAM and the max conntrack value is set to 32000.
Although this value depends on your traffic pattern, I'd say 32000 is a bit too low for a dedicated squid proxy. With 512MB RAM you could safely set that to a higher value (64k for example).
This is the contents of the /proc/net/tproxy taken today morning.
Nothing suspicious here, so I'd wait for your experience with the 2.6.10 TCP conntrack patch.

--
Regards,
Krisztian Kovacs